Bug 597616 (CVE-2016-8859) - <dev-libs/tre-0.8.0-r2: regex integer overflows in buffer size computations
Summary: <dev-libs/tre-0.8.0-r2: regex integer overflows in buffer size computations
Status: RESOLVED FIXED
Alias: CVE-2016-8859
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2016/q4/183
Whiteboard: B2 [glsa+ cve]
Reported: 2016-10-20 12:29 UTC by Agostino Sarubbo
Modified: 2020-07-27 00:58 UTC
Package list:
=dev-libs/tre-0.8.0-r2
Runtime testing required: ---
nattka: sanity-check+


Description Agostino Sarubbo gentoo-dev 2016-10-20 12:29:40 UTC
From ${URL} :

Due to incorrect use of integer types and missing overflow checks in
the tre_tnfa_run_parallel function's buffer overflow logic, the TRE
regex implementation (both original version and the one used in musl
libc) are subject to integer overflows in buffer size computation.

If the caller passes to regcomp a regular expression whose internal
representation requires a large number of states and/or a large number
of tags, too little space will be allocated during regexec, resulting
in out-of-bound memory writes.

An attacker who controls the regular expression and/or the string
being searched can potentially exploit these writes to achieve
controlled heap corruption.

All versions of the TRE library and musl libc are affected. The
attached patch fixes the issue in musl and should be easy to adapt for
use with original TRE. musl git master is fixed as of commit
c3edc06d1e1360f3570db9155d6b318ae0d0f0f7.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
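
The class of bug described above, as an added example that is not part of the original report and is not TRE or musl code: a buffer size derived from a state count and a tag count, computed once without overflow checks and once with them. The function names, the `elem` parameter and the simplified per-state layout (tag slots plus one position slot) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unchecked form: size_t arithmetic silently wraps modulo SIZE_MAX+1,
 * so a huge state or tag count can yield a tiny allocation size. */
static size_t unchecked_size(size_t num_states, size_t num_tags, size_t elem)
{
    return num_states * num_tags * elem + num_states * elem;
}

/* Checked form: validate every multiply and add before performing it.
 * Returns 0 and stores the byte count in *out, or -1 if it cannot be
 * represented (the caller should then fail the match, not allocate). */
static int checked_size(size_t num_states, size_t num_tags, size_t elem,
                        size_t *out)
{
    size_t tag_bytes, per_state;

    if (num_states == 0 || elem == 0)
        return -1;
    if (num_tags > SIZE_MAX / elem)            /* num_tags * elem */
        return -1;
    tag_bytes = num_tags * elem;
    if (tag_bytes > SIZE_MAX - elem)           /* + one position slot */
        return -1;
    per_state = tag_bytes + elem;
    if (per_state > SIZE_MAX / num_states)     /* * num_states */
        return -1;
    *out = per_state * num_states;
    return 0;
}

int main(void)
{
    size_t n = 0;
    size_t huge = SIZE_MAX / 8 + 1;            /* constructed input */

    printf("small: unchecked=%zu checked rc=%d\n",
           unchecked_size(100, 4, 8), checked_size(100, 4, 8, &n));
    printf("huge:  unchecked=%zu checked rc=%d\n",
           unchecked_size(huge, 1, 8), checked_size(huge, 1, 8, &n));
    return 0;
}
```

With the constructed large state count the unchecked computation wraps to a size far smaller than the data later written into the buffer, while the checked version rejects the request before any allocation happens.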
Comment 1 Patrice Clement gentoo-dev 2017-12-20 08:30:03 UTC
Hey there. I'm not even sure this affects the actual dev-libs/tre package. The official tre repository hasn't been updated in years [1]. You might consider closing this bug.

[1]: https://github.com/laurikari/tre/
Comment 2 Larry the Git Cow gentoo-dev 2020-06-13 01:58:37 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=78f82f7cb10835ccf5799706dd752eada3a0e5b9

commit 78f82f7cb10835ccf5799706dd752eada3a0e5b9
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-06-09 23:03:19 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2020-06-13 01:56:44 +0000

    dev-libs/tre: Security bump
    
    Bug: https://bugs.gentoo.org/597616
    Package-Manager: Portage-2.3.100, Repoman-2.3.22
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16158
    Signed-off-by: Aaron Bauman <bman@gentoo.org>

 dev-libs/tre/files/0.8.0-CVE-2016-8559.patch | 73 ++++++++++++++++++++++++++++
 dev-libs/tre/tre-0.8.0-r2.ebuild             | 67 +++++++++++++++++++++++++
 2 files changed, 140 insertions(+)
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2020-06-13 01:59:44 UTC
@maintainer(s), please call for stable when ready.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-06-20 13:51:04 UTC
x86 stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-06-21 16:59:52 UTC
arm stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-06-21 17:05:16 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-06-22 06:58:38 UTC
amd64 stable
Comment 8 Rolf Eike Beer archtester 2020-06-22 18:34:16 UTC
hppa/sparc stable
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 00:04:11 UTC
ppc64: ping
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-17 00:40:37 UTC
ppc64 stable.
----

Please cleanup.
Comment 11 Larry the Git Cow gentoo-dev 2020-07-17 10:32:20 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d7c292c9776cfb1e55f8d30d0750907d7b298bce

commit d7c292c9776cfb1e55f8d30d0750907d7b298bce
Author:     John Helmert III <jchelmert3@posteo.net>
AuthorDate: 2020-07-17 03:18:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-07-17 10:32:04 +0000

    dev-libs/tre: Security cleanup, drop <0.8.0-r2
    
    Bug: https://bugs.gentoo.org/597616
    Package-Manager: Portage-2.3.103, Repoman-2.3.23
    Signed-off-by: John Helmert III <jchelmert3@posteo.net>
    Closes: https://github.com/gentoo/gentoo/pull/16722
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/tre/tre-0.8.0-r1.ebuild | 64 ----------------------------------------
 1 file changed, 64 deletions(-)
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-07-27 00:58:27 UTC
This issue was resolved and addressed in
 GLSA 202007-43 at https://security.gentoo.org/glsa/202007-43
by GLSA coordinator Sam James (sam_c).